The CyberWire Daily Podcast 7.5.18
Ep 634 | 7.5.18

Catphish and Charming Kittens. Data-sharing receives more scrutiny. European copyright law won't be fast-tracked. ZTE gets some relief. Juggalos and Juggalettes defeat facial recognition tools.


Dave Bittner: [00:00:00] Hey, everybody. A quick reminder that the latest episode of our "Hacking Humans" podcast was published today. Those are no longer appearing in this feed. So if you haven't done so, go ahead and find "Hacking Humans" and subscribe. You can find it on iTunes and all the usual places where you find your podcasts. We'd also appreciate it if you leave a review. It's one of the best ways to help people find our new show. Thanks so much. Catphishing the IDF. Charming Kitten uses itself as bait. Facebook and Google face scrutiny over sharing users' information with third parties. The Pirate Bay is back after its hiatus, and it's back to cryptojacking. The European Parliament voted today to reopen debate on its controversial copyright legislation. ZTE received some perhaps temporary, perhaps more enduring, relief from U.S. sanctions. And confusion to the Muggalos facial recognition software.

Dave Bittner: [00:01:05] And now a word from our sponsor. Who's that sponsor, you say? Well, it's none other than the mysterious team behind the spectacularly successful F.A.K.E Security booth at RSA 2018. You remember. It was the one with no vendor name, no badge scanning and the charismatic snake oil salesman pitching his imaginary cybersecurity cures for all that's ailing businesses around the world. So who was behind that booth? Why did they do it? Who's really sponsoring our show today? Get the answers you've been dying to hear and hear the story behind the booth at That's And we thank whomever it is for sponsoring our show.

Dave Bittner: [00:01:59] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 5, 2018. The Israeli Defense Forces say, according to reports in Infosecurity magazine and elsewhere, that Hamas has succeeded in compromising smartphones belonging to Israeli soldiers by using fictitious profiles, catphish, on a dating app. Several-hundred soldiers are said to have been affected in what the Israeli Defense Forces are calling Operation Broken Heart. The catphish then invite the soldiers to download a malicious app, either romantically themed, like a dating app called Glance Love, or sports themed, especially ones that offer World Cup updates, like Golden Cup. One gambit the catphish use is claiming to be a recent immigrant to Israel, which is intended to explain the sometimes-imperfect Hebrew they write.

Dave Bittner: [00:02:57] The payload carried by the Trojanized apps is interesting and conveys a sense of what the attackers are interested in. The malware is believed capable of turning on device microphone and camera and of accessing phone and email contacts. There seems to be particular interest in soldiers stationed near Palestinian territories and, of course, in gathering any information available on Israeli military installations.

Dave Bittner: [00:03:23] The Iranian threat group Charming Kitten is building bogus websites purporting to be connected with ClearSky, the Israeli firm that's been tracking Charming Kitten for some time. ClearSky says the malicious site uses the URL The phishbait being dangled is ClearSky's reporting on the Iranian APT. The threat group copied pages from ClearSky's public reports and changed one of them to offer a sign-in option.

Dave Bittner: [00:03:53] Facebook has received unpleasant scrutiny over its sharing of data with third parties. It appears that Google may have shared data originating with Gmail users. In this case, Google has enabled certain developers to access not just Gmail metadata, but the contents of emails themselves. It seems that Gmail users gave Mountain View permission to share reading rights to their emails when they agreed to the end user license agreement. It's worth reflecting on how the purveyors of Gmail monetize it. This would appear to be one-way. And, as is so often the case, the small print of the EULA, giveth to others because it taketh away from the user. But the users did agree to it, after all.

Dave Bittner: [00:04:37] You may recall that The Pirate Bay had been offline for about a week. It's returned. Unfortunately, it's returned with a little something extra, a quiet cryptojacker added to its features. This isn't a first for The Pirate Bay. It installed cryptominers in its users' devices back in September of 2017 but soon stopped the practice after users complained. But, of course, users probably shouldn't be surprised that Pirate Bay would return to its cryptojacking ways.

Dave Bittner: [00:05:08] The European Union today resumed deliberation over its proposed copyright law, regarded by opponents as a mean killer at the very least and possibly worse. At issue in the vote today was whether to reopen debate on the law, which the European Parliament's Legislative Committee had passed. The full parliament voted to reopen debate by a 318-278 majority, and so the bill will not be fast-tracked, the normal course of EU legislation.

Dave Bittner: [00:05:36] Sir Paul McCartney likes this particular law, but others do not. Wikipedia's Spanish, Italian and Polish language service has been suspended in protest. The two most controversial aspects of the legislation are Articles 11 and 13. As explained in TechCrunch, Article 11 would impose what amounts, critics say, to a link tax that would hit news aggregators particularly hard. Article 13 would impose direct liability on platforms for their users' copyright infringements. This would push them strongly in the direction of pre-filtering content, a very difficult thing to do without doing harm to fair use and even free speech. Wikipedia's Jimmy Wales was particularly scathing in his response to EU tweets, suggesting that anything covered by Creative Commons would remain untouched. Mr. Wales doubts this, to say the least.

Dave Bittner: [00:06:30] In a very rough-and-ready way, the recording industry and some big publishers have lined up in favor of the law, with the tech industry and a broad spectrum of internet users lined up against it. The law's target seems to be YouTube more than anything else, but there are a great many other interested parties.

Dave Bittner: [00:06:49] The availability of malware toolkits makes it easy for even unsophisticated attackers to spin up effective campaigns. Gadi Naveh is Advanced Threat Prevention Evangelist at Check Point Software, and he offers his perspective on these tools, including how more of them are taking advantage of open source resources.

Gadi Naveh: [00:07:08] So I think we're in a very interesting point in time. Microsoft purchased GitHub, which is the best repository for codesharing. And so I guess it will be very interesting to see the coming future of how Microsoft's ownership of GitHub will affect the sharing of code between companies in general. But definitely we see that we're always one step back from the adversaries which they always use to share data and their code and reuse code as much as they can through open source repositories, like Metasploit project, Kali Linux - which is used, actually, by us defenders - and penetration testings. But definitely all these tools are allowing attackers to get them and to start using it from scratch.

Gadi Naveh: [00:08:05] So I can say that attackers were always using codesharing repositories used by the good guys as well as the bad guys, and they're stepping up their game with a GitHub code that's, for example, the reflective DLL injection code that you can find. And GitHub is used by attackers. We can see obfuscation techniques for JavaScript that is used by commercial purposes to keep your IP safe is also used by - similar techniques are used by attackers. And there's a lot of proliferation between the good guys and the attackers.

Dave Bittner: [00:08:45] And so how does this affect the ability to protect yourself against these hackers? Is it - I mean, when you go in and reverse engineer things, is it a matter of saying, yes, we recognize this code?

Gadi Naveh: [00:08:57] True. Very true that when it's open source and made public, it's always easy to find a signature there to prevent it. But actually, what we see that is used is mostly the grayware or stuff that can be considered very legit when used by one company, but the adversaries can use them as an attacker. And that's kind of the hardest dilemma for security vendors when you have software that can be used for legitimate purposes. For example, even bitcoin mining that we're seeing now, there's some very good usage for this technology, as we can see, but there is definitely adversaries that are putting infected computers with this technology, and then you can't decide if it's a malicious or a legit software, what we call sometimes potentially unwanted software, et cetera.

Dave Bittner: [00:09:55] So we see that very often these bad guys are using toolkits to put together their code. I mean, does the availability of these open source tools, does it lower the bar? Does it make it easier? The point of entry is easier for folks who want to do these bad things?

Gadi Naveh: [00:10:13] True. At availability of these toolkits and open source projects, the attacker doesn't need to have the whole attack chain created by himself, but he just needs to add the latest exploits, sometimes exploits that are living nation-state actors. And these attackers can utilize these into their existing toolkits and create very damaging effects, as we've seen in the WannaCry. They incorporated into their toolkit just a new exploit, the DoublePulsar and the EternalBlue family of exploits, in order to make it wormable. They always just add one step to their arsenal.

Dave Bittner: [00:10:56] That's Gadi Naveh from Check Point.

Dave Bittner: [00:11:00] ZTE gets enough relief from U.S. sanctions to update some of its products. The company's fate and those of other Chinese device manufacturers will be affected by the Sino-America trade war that may or may not be in the offing, and more immediately by whatever sanctioning provisions the U.S. Congress leaves in the 2019 Defense Authorization Act.

Dave Bittner: [00:11:22] Finally, there's been much talk of facial recognition software and the sometimes useful, sometimes problematic applications it offers. How can it be used? What might defeat it? We'll leave uses aside for the moment and consider a new method of defeating it. Blogger and privacy researcher TAHKION has described it, and you Juggalos and Juggalettes out there will be pleased to learn that you're ahead of the curve. That's right. Insane Clown Posse makeup does the trick. The sharply contrasted, black and white cosmetics seem to defeat most facial recognition software. We're having a difficult time figuring out a use case for this dodge since Juggalos and Juggalettes aren't by any reasonable measure inconspicuous. C4ISRNET has some speculation about people getting into military installations using it.

Dave Bittner: [00:12:12] Now, sure, probably the MPs, SPs, Marine guards and so on would ask a question or two if a Juggalo presented himself at the gate in full regalia. But suppose, what if someone used military face camouflage to achieve a similar effect? We're not sure that would work since face camouflage is designed precisely to achieve a vague, blended effect, quite unlike what the Insane Clown Posse wears. Clearly, more research is needed in this matter, but we can think of one good use case. It's now possible to attend an Insane Clown Posse concert while going unrecognized by any automated surveillance that may be in use. Something to think about, barker, the next time you're wailing on your axe.

Dave Bittner: [00:13:01] I'd like to take a minute to tell you about an exciting CyberWire event, the fifth annual Women in Cyber Security reception taking place October 18 at the International Spy Museum's new facility in Washington, D.C. The Women in Cyber Security Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking, and it brings together leaders from the private sector, academia and government from across the region and women at varying points on the career spectrum. The reception also provides a forum for women seeking cybersecurity careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event. It's just about creating connections.

Dave Bittner: [00:13:47] We're grateful to our sponsors - Northrop Grumman, CenturyLink, Cylance, Accenture, Cooley, T. Rowe Price, VMware, Delta Risk, SecureStrux and Edwards Performance Systems. If your company is interested in supporting this important event, we still have some great sponsorship opportunities available. We're also partnering with Maryland Art Place to have a special work of art created for the event that attendees can take home with them. As it's been in previous years, this event is invitation-only. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels. If you are interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website, That's We look forward to hearing from you. We hope to see you there.

Dave Bittner: [00:14:49] And I'm pleased to be joined once again by Justin Harvey. He's the global incident response leader at Accenture. Justin, we have stories come by pretty regularly about quantum computing and how that's going to change things. I'm curious. From your point of view, as an incident response guy, how are you preparing for this? Is this really on your radar?

Justin Harvey: [00:15:09] This is absolutely on our radar. So Accenture recently introduced what we call the Security Tech Vision, which is a look at the future. And the thing we've done is we've essentially put out an argument that the proliferation of quantum computing as we know it, when it becomes generally available - and there are people that think it's two years. There's people that think it's four years. There are people think that it's eight years. Regardless of how many years it's going to take to have quantum computing generally available, it is going to really radically change the game.

Justin Harvey: [00:15:47] And the reason that we think that is that cryptographic systems today, whether it be SSL, be it your identity, be it even blockchain - the way that the algorithms work in order to create a faux currency, if you will - will be essentially vulnerable. When someone's explaining about SSL or encrypting your email - oh, don't worry. No one can break it. It'll take hundreds of years using conventional means. Well, that's using conventional means. And the minute that a vendor comes out with truly a generally available quantum computing technology, those hundreds of years via conventional methods will be able to be compressed down into seconds or minutes.

Justin Harvey: [00:16:35] What I worry about is two things. The first is governments and militaries that will get early access to quantum computing if they don't already have it today. This is quite a powerful capability that nation-states and militaries will highly seek after to have in front of the commercial. And the first nations to truly get this and operationalize it, it will be weaponized. So that will put people's lives in danger. And it really will upend diplomacy even as we know it. Being able to decrypt any cable or transaction from other nation-states will truly change the world stage.

Justin Harvey: [00:17:21] And the second thing that I worry about is once this becomes generally available, once that switch is turned and the first organizations start to get their quantum computing devices or their computers, they will also have to uplift all of the rest of their infrastructure. That's great that it's commercially available. That means other people perhaps even in the cloud can now do the same things that the military can. They can crack something within seconds instead of hundreds of years.

Justin Harvey: [00:17:49] And just because that is available, conventional computing - think of your intrusion detection system. Think about your logging systems, the way that you do analytics today. All of those - the capability isn't rendered useless. It's the amount of data, the sheer amount of data and computing that you would have to view that the adversary could have. From a commercial standpoint, when this is generally available, it is going to be truly a game changer.

Justin Harvey: [00:18:19] That means that there has to be this cascade effect across the entire industry. Now Cisco needs to come out with quantum routers, and now FireEye needs to come out with quantum malware detection capabilities because they simply won't be able to protect themselves using conventional cryptographic means. When this comes, I really hope that not just security, but society is ready for that leap.

Dave Bittner: [00:18:46] Justin Harvey, thanks for joining us.

Justin Harvey: [00:18:48] Thank you.

Dave Bittner: [00:18:53] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:13] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:21] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.